Breach prevention better than cure for NDB regulations, says Aleron

Australia’s Privacy Amendment (Notifiable Data Breaches) comes into effect next week (February 22). It will require all organisations with a turnover of more than $3 million to notify the Australian Information Commissioner in the event of a data breach that: compromised personal information and is likely to cause harm.

However, failing to comply with those regulations could result in hefty fines and loss in customer trust, according to cybersecurity firm Aleron.

All businesses subject to the Privacy Act need to comply with the new scheme,” says Aleron security consultant Jason Akkari.

“This includes government organisations as well as businesses and not-for-profits with an annual turnover of more than $3 million. If these businesses can demonstrate to customers that they are working hard to protect their privacy, then customers are more likely to remain loyal and it will be easier to attract new customers.”

Not all data breaches are eligible, according to the Australian Government.

“For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Commissioner. There are also exceptions to notifying in certain circumstances.”

An eligible data breach occurs when:

1. There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds,
2. This is likely to result in serious harm to one or more individuals, and
3. The entity has not been able to prevent the likely risk of serious harm with remedial action.

He says that while some organisations might have all the right measures in place, there may still be weak spots in their security that make breaches more likely.

“Prevention is definitely better than cure in this case, so it’s important for organisations to focus their efforts on making sure they minimise the risk of a data breach.”

1. Confirm whether the business is subject to the scheme.
2. Know what types of information the business’s systems hold.
3. Put security controls in place to appropriately protect data based on its confidentiality or sensitivity.
4. Put measures in place to detect potential breaches.
5. Develop a response plan to effectively react if a data breach is suspected.

Aleron has developed its own privacy audit for organisations that need to prepare for the new regulations. The audit analyses all systems that collect and store personally identifiable information to measure their alignment with the 13 Australian Privacy Principles.